Create a Sign On with Open ID Connect
Derek Binkley (@DerekB_WI)
• Lead Developer at National Conference of Bar Examiners
• PHP and Java Developer
• MySQL DBA
• Father of Three
• Home Pizza Chef
Questions
• Yes! Please ask them.
• During or at the end.
Why?
• OpenID Connect is a new standard
• Not a lot of documentation
• Built upon OAuth 2.0, which is widespread
• Sign On across disconnected services
What is a sign on?
• Authentication (who are you?)
• Authorization (what can you do?)
What is OpenID Connect?
• A simple identity layer on top of OAuth 2.0
• Verify identity
• User basic info
• REST-like
• Many client types
What is OAuth 2?
• A method of allowing authorized access to web resources without the need for usernames and passwords.
• More in Ben Ramsey's May 2016 PHP Architect article.
PHP Libraries
• Bshaffer’s oauth2-server-php library
Traditional MVC Application
Modern Distributed Architecture
Session State/Authentication
• Login maintained by connection between browser and Identity Provider
OpenID Steps
1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an Authorization Code.
6. Client requests a response using the Authorization Code at the Token Endpoint.
7. Client receives a response that contains an ID Token and Access Token in the response body.
8. Client validates the ID token and retrieves the End-User's Subject Identifier.
Setting up Your Auth Server
1. Client prepares an Authentication Request containing the desired request parameters.
• Client id
• Client secret
• Response Type
• Scope
• State
client_id/client_secret
• Specific to your application
• Sets up Return URL
response_type
• code
• id_token
• id_token token
• code id_token
• code token
• code id_token token
State
• Unique string saved by your app
• Prevents a forged return call from Identity Provider.
2. Client sends the request to the Authorization Server.
• Forward user to Auth Server URL
• Have user post form to Auth Server
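The client side of steps 1 and 2 in one script, as an added example that is not code from the slides. It picks the authorization code flow (`response_type=code`), generates the state the slides describe and also a nonce (OpenID Connect Core 3.1.2.1, which the IdP copies into the ID Token so the client can tie the token to this exact request). The authorize endpoint, client id and redirect URI are placeholders. Note that the client secret from the step-1 slide is deliberately absent from this request: it is only ever sent server-to-server at the Token Endpoint in step 6.

```php
<?php
// Added example (not from the slides): RP side of steps 1 and 2 of the
// OpenID Connect authorization code flow. Endpoint, client id and redirect
// URI are placeholders.
declare(strict_types=1);

const AUTHORIZE_ENDPOINT = 'https://idp.example.com/authorize';  // assumed IdP endpoint
const CLIENT_ID          = 'my-php-app';                         // assumed registered client id
const REDIRECT_URI       = 'https://app.example.com/callback';   // registered return URL

/**
 * Build the Authentication Request URL and remember the values the callback
 * must match later. $session is the PHP session array, passed by reference.
 */
function buildAuthenticationRequest(array &$session): string
{
    // state: unpredictable, bound to this browser session, echoed back by the
    // IdP in step 5. Checking it is what defeats a forged return call.
    $state = bin2hex(random_bytes(16));
    // nonce: same idea, but it comes back inside the signed ID Token (step 7),
    // so the token can be matched to this request in step 8.
    $nonce = bin2hex(random_bytes(16));

    $session['oidc_state'] = $state;
    $session['oidc_nonce'] = $nonce;

    $params = [
        'response_type' => 'code',                 // authorization code flow
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'openid profile email', // 'openid' is what makes this OIDC
        'state'         => $state,
        'nonce'         => $nonce,
    ];

    return AUTHORIZE_ENDPOINT . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Step 2: forward the user to the Authorization Server.
session_start();
header('Location: ' . buildAuthenticationRequest($_SESSION), true, 302);
exit;
```

The session entries `oidc_state` and `oidc_nonce` are the only things the callback needs to remember; everything else in the request is public.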
3. Authorization Server Authenticates the End-User.
• Implementation entirely up to you.
• What? Isn't this specification about authentication?
Authentication Methods
• Something you know
• Something you are
• Something you have
4. Authorization Server obtains End-User Consent/Authorization.
• My app would like to access … Allow?
• Optional if you are in control of all parts of the chain.
5. Authorization Server sends the End-User back to the Client with an Authorization Code.
• Forward to client URL
• Either receive error or code.
• Trade code for token.
Auth Server Code
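An added example of the Authorization Server side (steps 3 to 6), not the code shown on this slide: a single front controller built on Bshaffer's oauth2-server-php, using the calls its cookbook documents (`OAuth2\Server` with `use_openid_connect`, `validateAuthorizeRequest`, `handleAuthorizeRequest`, `handleTokenRequest`). The DSN, issuer, `/login` page, URL routing and consent form are assumptions for this example; the library expects its `oauth_clients`, `oauth_authorization_codes` and `oauth_public_keys` tables to exist, and the key pair in `oauth_public_keys` is what signs the ID Token.

```php
<?php
// Added example (not the slide's code): OpenID Provider front controller on
// bshaffer/oauth2-server-php. DSN, issuer, /login and routing are assumptions.
require __DIR__ . '/vendor/autoload.php';

session_start();

$storage = new OAuth2\Storage\Pdo([
    'dsn'      => 'mysql:dbname=oauth2;host=localhost', // assumed database
    'username' => 'oauth',
    'password' => 'change-me',
]);

// use_openid_connect makes the server mint an ID Token next to the access token;
// 'issuer' becomes the 'iss' claim the client compares against in step 8.
$server = new OAuth2\Server($storage, [
    'use_openid_connect' => true,
    'issuer'             => 'https://idp.example.com', // assumed issuer URL
]);
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));

$request  = OAuth2\Request::createFromGlobals();
$response = new OAuth2\Response();
$path     = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

if ($path === '/token') {
    // Step 6 (server side): trade the one-time code for tokens. The library
    // checks client_id/client_secret, redirect_uri and code expiry itself.
    $server->handleTokenRequest($request)->send();
    exit;
}

if ($path === '/authorize') {
    // Reject malformed requests (unknown client, wrong redirect_uri, bad
    // response_type) before showing the user anything.
    if (!$server->validateAuthorizeRequest($request, $response)) {
        $response->send();
        exit;
    }

    // Step 3: authenticate the end user. The spec leaves this to you; here the
    // IdP's own login page is assumed to have stored the user id in the session.
    if (empty($_SESSION['user_id'])) {
        header('Location: /login?return_to=' . rawurlencode($_SERVER['REQUEST_URI']), true, 302);
        exit;
    }

    // Step 4: consent. Render the prompt on GET, read the decision on POST.
    // (A form without an action posts back to this same URL, query string included.)
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        $client = htmlspecialchars((string) $request->query('client_id'), ENT_QUOTES, 'UTF-8');
        echo '<form method="post">'
           . "<p>{$client} would like to access your profile. Allow?</p>"
           . '<button name="authorized" value="yes">Allow</button> '
           . '<button name="authorized" value="no">Deny</button></form>';
        exit;
    }
    $isAuthorized = (($_POST['authorized'] ?? 'no') === 'yes');

    // Step 5: redirect back to the client with code+state, or with an error.
    $server->handleAuthorizeRequest($request, $response, $isAuthorized, (string) $_SESSION['user_id']);
    $response->send();
    exit;
}

http_response_code(404);
```

If you control every part of the chain, the consent form can be dropped and `$isAuthorized` set to `true`, as the step-4 slide says; the authentication check in step 3 stays either way.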
6. Client requests a response using the Authorization Code at the Token Endpoint.
• Your PHP app sends an http request back to the Identity Provider (OpenID server).
• Trades one time use code for token.
Client Code
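The client's callback handler for step 6, as an added example rather than the slide's own code. It first checks the returned state against the value saved in step 1 (assumed to live in `$_SESSION['oidc_state']`), then POSTs the one-time code to the Token Endpoint with the client credentials in an HTTP Basic header. The endpoint URL, client id, secret and redirect URI are placeholders.

```php
<?php
// Added example (not the slide's code): RP redirect_uri handler for step 6.
// Endpoint, client credentials and redirect URI are placeholders.
declare(strict_types=1);

const TOKEN_ENDPOINT = 'https://idp.example.com/token';   // assumed IdP endpoint
const CLIENT_ID      = 'my-php-app';                       // assumed client id
const CLIENT_SECRET  = 'change-me';                        // only ever sent here, server-to-server
const REDIRECT_URI   = 'https://app.example.com/callback'; // must equal the step-1 value exactly

session_start();

// The IdP may answer with an error instead of a code (user denied, bad scope, ...).
if (isset($_GET['error'])) {
    http_response_code(400);
    exit('Login failed: ' . htmlspecialchars((string) $_GET['error'], ENT_QUOTES, 'UTF-8'));
}

// State check: the value must be the one we saved, compared in constant time,
// and it is single-use, so remove it from the session before anything else.
$expected = (string) ($_SESSION['oidc_state'] ?? '');
unset($_SESSION['oidc_state']);
if ($expected === '' || !isset($_GET['state']) || !hash_equals($expected, (string) $_GET['state'])) {
    http_response_code(400);
    exit('State mismatch: this response was not triggered by our request.');
}
if (!isset($_GET['code'])) {
    http_response_code(400);
    exit('No authorization code in response.');
}

/**
 * POST the code to the Token Endpoint and return the decoded JSON body
 * (access_token, id_token, token_type, expires_in, ...).
 */
function exchangeCodeForTokens(string $code): array
{
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the client secret travels on this connection
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        // client_secret_basic: credentials in the Authorization header, not the body
        CURLOPT_USERPWD        => CLIENT_ID . ':' . CLIENT_SECRET,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'   => 'authorization_code',
            'code'         => $code,
            'redirect_uri' => REDIRECT_URI,
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException("Token endpoint returned HTTP {$status}");
    }
    $tokens = json_decode((string) $body, true, 512, JSON_THROW_ON_ERROR);
    if (!isset($tokens['id_token'], $tokens['access_token'])) {
        throw new RuntimeException('Token response lacks id_token or access_token');
    }
    return $tokens;
}

$tokens = exchangeCodeForTokens((string) $_GET['code']);
// Steps 7 and 8 continue from here: validate $tokens['id_token'] before trusting it.
```

The code is accepted by the IdP exactly once, so a replayed callback fails at the Token Endpoint even if the state check were somehow passed.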
7. Client receives a response that contains an ID Token and Access Token in the response body.
• Response back with ID token and access token
• ID Token can be decoded and its signature verified to ensure integrity and read the details of the session
Server Code
Client Code
8. Client validates the ID token and retrieves the End-User's Subject Identifier.
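Step 8 worked through, as an added example that is not the slide's code: the ID Token is a compact JWT, so the client splits it, checks an RS256 signature with the provider's public key, and then checks the claims OpenID Connect Core 1.0 section 3.1.3.7 requires (`iss`, `aud`/`azp`, `exp`, `nonce`) before reading `sub`. The issuer, client id and the PEM public key are placeholders, and the nonce is assumed to have been stored in `$_SESSION['oidc_nonce']` in step 1. The check goes a little beyond the slide by pinning the algorithm rather than trusting the token's header.

```php
<?php
// Added example (not the slide's code): validate an OpenID Connect ID Token
// and extract the subject identifier. Issuer, client id and key are placeholders.
declare(strict_types=1);

const EXPECTED_ISSUER = 'https://idp.example.com'; // assumed; must equal 'iss'
const CLIENT_ID       = 'my-php-app';              // assumed; must be in 'aud'
const IDP_PUBLIC_KEY  = <<<PEM
-----BEGIN PUBLIC KEY-----
(placeholder: the provider's RSA public key, obtained out of band, goes here)
-----END PUBLIC KEY-----
PEM;

function base64UrlDecode(string $data): string
{
    $rem = strlen($data) % 4;
    if ($rem > 0) {
        $data .= str_repeat('=', 4 - $rem);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Bad base64url segment');
    }
    return $decoded;
}

/**
 * Verify the signature and claims; return the claims on success, throw on any failure.
 * $expectedNonce is the value saved when the request was built.
 */
function validateIdToken(string $idToken, string $publicKeyPem, string $expectedNonce, ?int $now = null): array
{
    $now = $now ?? time();
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('ID Token is not a compact JWS (header.payload.signature)');
    }
    [$h, $p, $s] = $parts;

    $header = json_decode(base64UrlDecode($h), true, 512, JSON_THROW_ON_ERROR);
    // Pin the algorithm we expect; never let the token choose it ('none' or an
    // HMAC alg verified with the public key are the classic JWT mistakes).
    if (($header['alg'] ?? '') !== 'RS256') {
        throw new RuntimeException('Unexpected alg: ' . ($header['alg'] ?? '(missing)'));
    }

    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        throw new RuntimeException('Cannot load IdP public key');
    }
    // The signature covers the raw "header.payload" text, not the decoded JSON.
    if (openssl_verify("{$h}.{$p}", base64UrlDecode($s), $key, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('ID Token signature does not verify');
    }

    $claims = json_decode(base64UrlDecode($p), true, 512, JSON_THROW_ON_ERROR);

    if (($claims['iss'] ?? null) !== EXPECTED_ISSUER) {
        throw new RuntimeException('Wrong issuer');
    }
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array(CLIENT_ID, $aud, true)) {
        throw new RuntimeException('Token was not issued to this client');
    }
    if (count($aud) > 1 && ($claims['azp'] ?? null) !== CLIENT_ID) {
        throw new RuntimeException('Multiple audiences but azp is not this client');
    }
    if (!isset($claims['exp']) || (int) $claims['exp'] <= $now) {
        throw new RuntimeException('Token expired');
    }
    if (!isset($claims['nonce']) || !hash_equals($expectedNonce, (string) $claims['nonce'])) {
        throw new RuntimeException('Nonce mismatch: token does not belong to our request');
    }
    if (empty($claims['sub'])) {
        throw new RuntimeException('No subject identifier');
    }
    return $claims;
}

// Usage on the callback, once the code exchange has returned $tokens:
// $claims = validateIdToken($tokens['id_token'], IDP_PUBLIC_KEY, $_SESSION['oidc_nonce']);
// $_SESSION['user'] = ['sub' => $claims['sub'], 'iss' => $claims['iss']];
```

Only `sub` (scoped to `iss`) is a stable identifier for the user; `email` and other profile claims can change, so key your local account records on the pair rather than on the e-mail address.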
Taking it further with session handling
• Sessions between App and Identity Provider don’t stay in sync.
• No way for App to check.
Modern Distributed Architecture
Logout Problem
• User logs out of Identity Provider then logins in as another user then returns to App.
• App still has access token for first login.
• App won't know immediately that token has expired so could reveal one user's data to another.
Embed an Iframe with Auth Server Connection
• Send message to iframe to get user’s login status.
• Handle response checking for ‘unchanged’
X-Frame-Options not enough
Content Security Policy in Apache Config
• Header set Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' *.example.com"
Thanks
• Feedback at Meetup or Joind.in
• https://joind.in/event/2016-madison-php-meetings
Resources
• https://www.phparch.com/2016/05/may-2016-full-speed-ahead/
• http://openid.net/specs/openid-connect-core-1_0.html
• http://openid.net/specs/openid-connect-session-1_0.html
• http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
• https://www.jwtinspector.io/